US10623373B2 - Methods and apparatus to provide a distributed firewall in a network - Google Patents


Publication number: US10623373B2
Authority: US (United States)
Prior art keywords: firewall, software, network node, network, defined network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: US15/594,010
Other versions: US20170250955A1 (en)
Inventors: Dustin Grant, Sandeep Gupta, Sridhar Narahari, Michael J. Satterlee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): AT&T Intellectual Property I LP
Original Assignee: AT&T Intellectual Property I LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events
Application filed by AT&T Intellectual Property I LP
Priority to US15/594,010 (patent/US10623373B2/en)
Publication of US20170250955A1 (patent/US20170250955A1/en)
Assigned to AT&T INTELLECTUAL PROPERTY I, L.P. (assignment of assignors interest, see document for details). Assignors: SATTERLEE, MICHAEL J., GRANT, DUSTIN, NARAHARI, SRIDHAR, GUPTA, SANDEEP
Priority to US16/836,514 (patent/US11044232B2/en)
Application granted
Publication of US10623373B2 (patent/US10623373B2/en)
Priority to US17/321,566 (patent/US11665140B2/en)
Priority to US18/302,030 (patent/US12166746B2/en)
Legal status: Expired - Fee Related (current)

Abstract

Methods and apparatus to provide a distributed firewall in a network are disclosed. An example method includes identifying, at a control plane, a network traffic rule to implement in a network, and determining a first firewall of a distributed firewall in the network to enforce the network traffic rule. Example methods also configure a first software-defined network node to route network traffic to the first firewall. The first firewall is instantiated by a first firewall instance at a second software-defined network node and by a second firewall instance at a third software-defined network node. In response to determining at least some of the network traffic forwarded by the first software-defined network node to the second and third software-defined network nodes is being dropped at the first and second firewall instances, example methods also cause the first software-defined network node to implement a third firewall instance.

Description

RELATED APPLICATIONS
This patent arises from a continuation of U.S. patent application Ser. No. 14/271,185, entitled “METHODS AND APPARATUS TO PROVIDE A DISTRIBUTED FIREWALL IN A NETWORK,” filed May 6, 2014 (now U.S. Pat. No. 9,674,147). Priority to U.S. patent application Ser. No. 14/271,185 is claimed, and U.S. patent application Ser. No. 14/271,185 is hereby incorporated herein by reference in its entirety.
BACKGROUND
In known communications networks, network functions are performed using specialized hardware that accelerates one or more functions relative to general-purpose machines. Control and configuration of the network is generally performed by accessing a device to be configured and performing configuration tasks specific to the hardware in the device.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of an example software-defined network constructed in accordance with the teachings of this disclosure to provide a distributed firewall in the software-defined network.
FIG. 2 is a block diagram of an example software-defined networking firewall controller constructed in accordance with the teachings of this disclosure to control a distributed firewall in a software-defined network.
FIG. 3 is a block diagram of an example SDN node to implement a firewall policy.
FIG. 4 is a flowchart representative of example machine readable instructions which may be executed to implement the example software-defined networking firewall controller of FIGS. 1 and/or 2 to control a distributed firewall in a software-defined network.
FIG. 5 is a flowchart representative of example machine readable instructions which may be executed to implement the example software-defined networking node of FIGS. 1 and/or 3 to implement a distributed firewall policy.
FIG. 6 is a block diagram of an example processor platform capable of executing the instructions of FIGS. 4 and/or 5 to implement the apparatus of FIGS. 1, 2, and/or 3.
The figures are not to scale. Wherever appropriate, the same reference numbers will be used throughout the drawing(s) and accompanying written description to refer to the same or like parts.
DETAILED DESCRIPTION
Software-defined networking (SDN) is a network technology that addresses customization and optimization concerns within networks. SDN simplifies modern networks by decoupling the data-forwarding capability (e.g. the data plane or forwarding plane) from routing, resource, and other management functionality (e.g., the control plane). Both the control plane and data plane functions are performed at the network nodes in known networks. Network nodes that support SDN (e.g., that are SDN-compliant) may be configured to implement data plane functions. Control plane functions are performed by an SDN controller. SDN networks currently use Application Programming Interface (API) services, such as the OpenFlow protocol or OnePK protocol, to manage the interactions between the data plane and the control plane.
Known implementations of network firewalls are centralized and operate independently of other firewalls and network elements. Known methods of operating firewalls independently of each other lead to requirements including a) funneling traffic (e.g., all traffic on the network) from the entry points through the firewalls to apply firewall policies and/or b) placing firewalls in every physical or logical location where a policy is needed, which increases infrastructure costs. Firewall hardware costs, limits on scalability, management costs, and deployment complexity limit the number of firewalls that can be cost-effectively deployed in a network. As a result, network traffic using known firewalls often must traverse a substantial portion of the network to reach the firewall. When such traffic is dropped due to the firewall policies, the network capacity used to carry the dropped traffic to the firewall is wasted.
Examples disclosed herein solve problems associated with known firewall implementations by using SDN to provide a distributed firewall application. In some examples, the distributed firewall application permits any and/or every SDN node or element in a software-defined network to be programmed to provide firewall services, thereby reducing the need for funneling traffic and decreasing infrastructure costs.
Examples disclosed herein deploy and manage instances of the firewall from a central management server or SDN node (e.g., an SDN firewall controller). SDN firewall controllers in disclosed examples define and analyze firewall policies for implementation in software-defined networks. As a result, security policies can be applied throughout a network (e.g., closer to data entry points rather than closer to a data destination). Examples disclosed herein enable the network to change a network wide security policy as often as needed to maintain network security and performance. For example, example networks may update the firewall policies across the network, as often as every time a user logs onto the network, to accommodate the security policy of that specific user, the device(s) the user is using to access the network, and the resources to which the user needs access. In contrast, known firewalls are updated only when a firewall policy update can be designed for each type of firewall in the network. Thus, in contrast to the relatively static firewalls of known networks, example SDN firewalls disclosed herein are dynamic and adapt to the current circumstances and use(s) of the network.
Examples disclosed herein identify, at a control plane, a network traffic rule to implement in a network; determine, at the control plane, a distributed firewall for a first firewall in the network to enforce the network traffic rule; instruct, using the control plane, a first software-defined networking node to instantiate the first firewall of the distributed firewall; configure a second software-defined networking node to route network traffic through the first firewall; and instruct the first software-defined networking node to enforce the network traffic rule.
In some examples, instructing the first software-defined networking node to instantiate the first firewall includes instructing the first software-defined networking node to instantiate a virtual machine to implement a firewall software application. Some examples further include instructing a third software-defined networking node to modify a first firewall policy of a second firewall at the third software-defined networking node to enforce the network traffic rule. In some such examples, instructing the third software-defined networking node includes instructing the third software-defined networking node to execute the second firewall using the first firewall policy, and instructing the first software-defined networking node to enforce the network traffic rule comprises instructing the first software-defined networking node to execute the first firewall using a second firewall policy, the first firewall policy being independent from the second firewall policy. In some examples, the first and second firewalls are part of the distributed firewall.
In some examples, the first software-defined networking node is an edge network node. Some examples further identify, at the control plane, a change to the network traffic rule to implement in the network; identify, at the control plane, a set of software-defined networking nodes on which firewalls of the distributed firewall are implemented; and transmit instructions from the control plane to the set of software-defined networking nodes to cause the firewalls to implement the change to the network traffic rule, the instructions to the software-defined networking nodes in the set being respectively customized for the firewall to which the instructions are transmitted.
In some examples, determining the distributed firewall for the network to enforce the network traffic rule includes determining, at the control plane, a portion of the network to which the network traffic rule is to be applied; identifying, at the control plane, software-defined networking nodes in the network to serve the portion of the network; transmitting instructions to a first portion of the identified software-defined networking nodes to cause the first portion of the identified software-defined networking nodes to instantiate respective firewall software applications; and transmitting instructions to the identified software-defined networking nodes to cause the identified software-defined networking nodes to implement the traffic rule via respective firewall software applications.
FIG. 1 is a block diagram of an example software-defined network 100 constructed in accordance with the teachings of this disclosure to provide a distributed firewall in the software-defined network 100. The example software-defined network 100 is divided into a control plane 102 and a data plane 104. The example control plane 102 is implemented using one or more SDN nodes (e.g., computing devices), but is illustrated in FIG. 1 as a single logical entity.
The control plane 102 includes one or more control devices that execute a network operating system 106 to control (e.g., configure, monitor) devices in the data plane 104. The example network operating system 106 executes one or more SDN applications including an SDN firewall controller 110. The example network operating system 106 supports the SDN firewall controller 110 and/or any additional SDN applications executed at the network operating system 106.
As disclosed below in more detail, the example SDN firewall controller 110 controls, via the network operating system 106, a distributed firewall that is implemented via the data plane 104. As described in more detail below, the distributed firewall provides network traffic filtering to enhance security, reliability, and/or efficiency of the network. The distributed firewall of the example of FIG. 1 may include firewall services for private or virtual private networks, and/or any other firewall services (e.g., specialized firewall services) desired by users of the network.
The example data plane 104 of FIG. 1 includes SDN nodes 112-118 (e.g., computing devices, network nodes) that implement the functions of the network (e.g., filtering, routing, etc.) for network traffic. The example SDN nodes 112-118 are controlled (e.g., configured) by the example control plane 102 (e.g., by the network operating system 106), which accesses application programming interfaces (APIs) of the SDN nodes 112-118 to configure the network services being provided by the SDN nodes 112-118. In some examples, the network operating system 106 abstracts all or part of the APIs of the SDN nodes 112-118 for access by the SDN firewall controller 110. Abstracting the APIs enables the SDN firewall controller to access the API via the network operating system 106 using a consistent set of commands and/or configuration routines, which are then implemented by the network operating system 106 on the desired nodes 112-118 (e.g., nodes indicated as arguments in the API call) using device-specific commands and/or configuration routines.
The example SDN nodes 112-118 operate as gateways, edge routers, and/or core routers. The SDN nodes 112-118 are configurable by the control plane 102 to implement any set or subset of SDN services. Examples of SDN services include routing, traffic filtering, and/or load balancing. The example network operating system 106 of FIG. 1 configures respective devices 120, which may be consumer devices, routers, gateways, and/or edge routers, and/or SDN nodes implementing such consumer and/or networking devices, to route traffic to the SDN nodes 112-118 based on forwarding tables and/or other rules.
In the example of FIG. 1, each of the SDN nodes 112, 114, and 116 implements a respective firewall instance 122, 124, 126. Each of the firewall instances 122-126 may be configured by the SDN firewall controller 110 independently of other ones of the firewall instances 122-126. Accordingly, examples disclosed herein treat each of the firewall instances 122-126 as instances of a firewall service. However, the firewall instances 122-126 collectively provide a distributed firewall for the software-defined network 100 to implement the firewall strategy as it is defined at the SDN firewall controller 110.
In the example of FIG. 1, the SDN node 118 does not implement an instance of the distributed firewall service (e.g., a firewall instance). Instead, the network operating system 106 and/or the SDN firewall controller 110 configures the SDN node 118 (e.g., a gateway, an edge router) to route network traffic through one or more of the SDN nodes 114, 116, which are executing firewall instances 124, 126. In some cases, routing the traffic to the SDN node(s) 114, 116 for filtering via the firewall instances 124, 126 is problematic. For example, if substantial amounts of network traffic are forwarded by the SDN node 118 to the SDN nodes 114, 116 only to be dropped by the firewall instances 124, 126, the forwarding resources of the SDN nodes 114-118 are wasted on the dropped traffic. Additionally or alternatively, one or both of the firewall instances 124, 126 may become bottlenecks in traffic flow from the devices 120 due to traffic entering the network 100 at the SDN nodes 114, 116, traffic forwarded by the SDN node 118 to the SDN nodes 114, 116, or both.
When the example SDN firewall controller 110 recognizes these or other problems, the SDN firewall controller 110 of the illustrated example may alleviate the problem by instantiating a firewall service at the SDN node 118. In contrast to known networks that require specialized firewall hardware to be physically installed and/or configured, the example SDN firewall controller 110 of FIG. 1 transmits instructions to the SDN node 118 via the network operating system 106 to cause the SDN node 118 to instantiate a new firewall instance in software, thereby enhancing the performance of the firewall services of the software-defined network 100 and adapting the firewall strategy to real-time network conditions. The example software-defined network 100 illustrated in FIG. 1 can nearly instantly respond to network conditions involving the distributed firewall.
The SDN nodes implementing the control plane 102 in the example of FIG. 1 are different nodes than the SDN nodes 112, 114, 116, 118 implementing the data plane 104. For example, the control plane 102 may include one or more SDN nodes 128 to implement the network operating system 106 and/or the SDN firewall controller 110. The example SDN nodes 128 of the control plane 102 communicate with the nodes 112-118 via control paths of the network 130. While only 5 nodes 112-118, 128 are shown in the example network 100 of FIG. 1, a network may have hundreds, thousands, or more nodes. In some examples, one or more SDN nodes 112, 114, 116, 118 implementing the data plane 104 also implement the control plane 102.
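The decision described for FIG. 1 (recognizing that traffic relayed by the SDN node 118 is largely being dropped at the firewall instances 124 and 126, and responding by instantiating a firewall at the node 118 and re-pointing its routing so filtering happens at the entry point) modelled as a small Python controller. This is an added example, not code from the patent or from AT&T; the per-ingress counters reported by each firewall instance, the 50% drop-ratio threshold, the minimum sample size and the action names are assumptions.

```python
"""Added example (not the patent's code): a toy model of the FIG. 1 decision.
Node 118 has no firewall instance and relays traffic to nodes 114 and 116,
which run firewall instances 124 and 126. Each instance reports, per ingress
node, how many relayed packets it forwarded and how many it dropped. When most
of what 118 relayed is being dropped downstream, the controller instantiates a
firewall at 118 and stops the relay. Counter shape and thresholds are assumed."""
from dataclasses import dataclass, field

@dataclass
class SdnNode:
    node_id: int
    has_firewall: bool
    # nodes this one relays traffic to for filtering; empty means "filter locally"
    filter_via: list = field(default_factory=list)

DROP_RATIO_THRESHOLD = 0.5   # assumed: act when >=50% of relayed traffic is dropped
MIN_PACKETS = 1000           # assumed: ignore samples too small to judge

def dropped_fraction(stats, ingress_node):
    """Fraction of traffic relayed by ingress_node that downstream firewalls dropped.
    stats: {firewall_node_id: {ingress_node_id: (forwarded, dropped)}}.
    Returns (ratio, total_packets_seen)."""
    fwd = dropped = 0
    for per_ingress in stats.values():
        f, d = per_ingress.get(ingress_node, (0, 0))
        fwd += f
        dropped += d
    total = fwd + dropped
    return (dropped / total, total) if total else (0.0, 0)

def rebalance(network, stats):
    """Controller pass: return the actions taken and update the topology model."""
    actions = []
    for node in network.values():
        if node.has_firewall or not node.filter_via:
            continue  # already filtering locally, or nothing to rebalance
        ratio, total = dropped_fraction(stats, node.node_id)
        if total < MIN_PACKETS or ratio < DROP_RATIO_THRESHOLD:
            continue
        # 1. instruct the node to instantiate a firewall instance in software
        node.has_firewall = True
        actions.append(("instantiate_firewall", node.node_id))
        # 2. stop relaying to the remote instances; drop bad traffic at the entry point
        for remote in node.filter_via:
            actions.append(("unroute", node.node_id, remote))
        node.filter_via = []
        actions.append(("enforce_locally", node.node_id))
    return actions

def example_network():
    """Topology of FIG. 1: 112, 114, 116 run firewalls; 118 relays to 114 and 116."""
    return {
        112: SdnNode(112, True),
        114: SdnNode(114, True),
        116: SdnNode(116, True),
        118: SdnNode(118, False, filter_via=[114, 116]),
    }

# Constructed sample: instances at 114 and 116 report that most of what 118
# relayed to them was dropped by policy, while their own ingress traffic is clean.
SAMPLE_STATS = {
    114: {118: (300, 2200), 114: (5000, 40)},
    116: {118: (250, 1900), 116: (4800, 35)},
}

if __name__ == "__main__":
    net = example_network()
    print("drop ratio for traffic relayed by 118:", dropped_fraction(SAMPLE_STATS, 118))
    for action in rebalance(net, SAMPLE_STATS):
        print(action)
```

The minimum sample size matters in practice: a handful of dropped packets right after a policy change would otherwise trigger an instance spin-up, and the controller should also rate-limit how often it re-evaluates a given node so that a flapping drop ratio does not repeatedly create and tear down instances.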
FIG. 2 is a block diagram of an example implementation of the example SDN firewall controller 110 of FIG. 1. The example SDN firewall controller 110 of FIG. 2 is implemented on one or more SDN nodes (e.g., the SDN node 128 of FIG. 1), which may be separate from the SDN nodes 112-118 implementing the data plane 104 and/or may also implement the data plane 104.
The example SDN firewall controller 110 of FIG. 2 includes a firewall policy interpreter 202, a firewall node identifier 204, a firewall instruction generator 206, and a firewall configuration database 208. In the example of FIG. 1, firewall configuration (e.g., all firewall configuration) occurs via the SDN firewall controller 110 and/or is controlled by the SDN firewall controller 110. Thus, the example SDN firewall controller 110 of the illustrated example has knowledge of the firewall configuration of the software-defined network 100 and implements any and all user firewall configuration commands (e.g., all configuration commands) at the firewall nodes. The example SDN firewall controller 110 of the illustrated example also has (and/or can rapidly obtain from the network operating system 106) knowledge of the physical and/or logical topologies of the software-defined network 100 and/or the statuses (e.g., configurations, operational statuses, etc.) of the nodes 112-118.
In the example of FIG. 2, the SDN firewall controller 110 (e.g., via the firewall policy interpreter 202 of FIG. 2) receives and/or identifies network traffic rules for implementation in the software-defined network 100. For example, a network administrator may define and/or provide a filtering policy or rule to the firewall policy interpreter 202 for instructing the software-defined network 100 to drop packets having a particular source Internet Protocol (IP) address. Another example rule may include granting a defined group of users in a system (e.g., a “marketing” group, a “field technicians” group, etc.) access to a designated set of applications in a corporate virtual private network. Rules provided manually may be provided using a user interface, a rule description language, and/or any other interface mechanism implemented in the software-defined network 100.
Additionally or alternatively, the example firewall policy interpreter 202 may receive a firewall policy or rule that is automatically generated by a security service based on activity in the network (e.g., by traffic analysis of the software-defined network). For example, the firewall policy interpreter 202 may receive a firewall rule to temporarily block traffic destined for a particular port at a particular IP address. The example firewall policy interpreter 202 may determine that the firewall rule is to be implemented at each firewall instance 122-126 in the software-defined network 100 (e.g., to drop packets matching the filter rule as early as possible).
The example firewall node identifier 204 of the illustrated example determines a firewall configuration (e.g., identifies firewall nodes) for the software-defined network 100 to enforce the network traffic rule. For example, some network traffic rules may affect only a limited number of firewall applications and/or SDN nodes 112-118. The example firewall rule may then be selectively applied to the firewall instances and/or applications executing on those SDN nodes 112-118 to reduce the processing resource requirement on SDN nodes 112-118 that do not need to implement the policy. On the other hand, other network traffic rules may require all of the firewall instances in the software-defined network 100 to be instructed to implement the traffic rule.
In some examples, the firewall policy interpreter 202 determines that the distributed firewall is a traffic bottleneck at a particular node. In some such examples, the firewall node identifier 204 may determine that one or more additional firewall instances are to be created at designated nodes 112-118 (which may or may not already have a firewall instance, such as the node 118 of FIG. 1) to handle the traffic, and/or that the traffic destined for the bottleneck firewalls may be redistributed to other SDN nodes 112-118 executing the firewall instances and/or applications.
The firewall node identifier 204 of the example of FIG. 2 determines the appropriate instances 122-126 and/or nodes 112-118 of FIG. 1 for efficient implementation of the firewall, including adding firewall instances, migrating firewall instances between nodes, eliminating firewall instances, and/or updating firewall instances and/or routing forwarding tables of other nodes 112-118 and/or devices 120.
The example firewall instruction generator 206 of FIG. 2 instructs (e.g., via the network operating system 106) the appropriate SDN node 112-118 to instantiate firewall(s). For example, the firewall instruction generator 206 generates instructions for transmission to a first one of the SDN nodes 112-118 (e.g., to the SDN node 112 via an SDN API of the SDN node 112). In this example, the instructions cause the SDN node 112-118 to instantiate a virtual machine and implement (e.g., install, load, etc.) a firewall application for execution on the virtual machine. The SDN node(s) 112-118 provide the hardware (e.g., computing, communications) resources used by the corresponding virtual machine(s) and the firewall application(s) to perform the firewall actions. In some examples, a given SDN node 112-118 is already executing one or more firewall instances and instantiates an additional firewall instance in response to the instruction from the firewall instruction generator 206.
The example firewall configuration database 208 of FIG. 2 stores the firewall configuration of the software-defined network 100. For example, the firewall configuration database 208 stores the locations of the firewall instances 122-126 (e.g., physical locations and/or virtual locations), the firewall policies and/or rules configured at the firewall instances 122-126, and/or portions of the software-defined network that are served by the firewall instances 122-126. For example, some firewall instances may be configured to serve a particular virtual private local area network, while other firewall instances may be configured to serve traffic routed through a public network. In some examples, a subset of gateways, edge routers, and/or core routers in the network 100 are served by a particular firewall instance (e.g., executing on one or more of the SDN node(s) 112-118).
In the illustrated example, when a firewall instance is created at an SDN node 112-118, the example firewall node identifier 204 selects the gateways, edge routers, and/or core routers and the firewall instruction generator 206 configures them to route traffic for filtering by the firewall instance. The example firewall configuration database 208 of FIG. 2 stores the information associated with the newly-instantiated firewall instance for reference by the firewall policy interpreter 202, the firewall node identifier 204, and/or the firewall instruction generator 206.
In the example of FIG. 2, the example firewall configuration database 208 also stores firewall audit logs obtained from the firewall instances in response to success/fail audits of the firewall instances. Additionally or alternatively, the firewall configuration database 208 stores notable network events from the firewall instances. The example firewall policy interpreter 202 of the illustrated example analyzes the disparate network events from the firewall instances that are distributed across the software-defined network 100 to identify traffic trends (e.g., increasing traffic from and/or in a portion of the network) and/or identify distributed attacks (e.g., distributed denial of service attacks). In response to identifying trends and/or attacks, the firewall policy interpreter 202 of FIG. 2 generates remedial firewall rules or policies for implementation at the firewall instances.
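An added example (not the patent's or AT&T's code) of the event analysis just described: notable events collected from the firewall instances 122, 124 and 126 are grouped by destination address and port, a target hit from many distinct sources across several instances inside a short window is flagged as a distributed attack, and a temporary network-wide rule of the kind mentioned earlier (block traffic destined for a particular port at a particular IP address) is generated for the firewall instances. The log line format, the thresholds, the time window and the rule fields are assumptions, and the log lines are constructed.

```python
"""Added example (not the patent's code): analyse notable events reported by
distributed firewall instances and emit remedial rules. Format and thresholds
are assumptions; the sample log is constructed."""
from collections import defaultdict

# Constructed sample, one line per flagged connection attempt:
# <epoch seconds> fw=<instance id> src=<ip> dst=<ip> dport=<port> action=<what the instance did>
SAMPLE_LOG = """\
1700000000 fw=122 src=198.51.100.7 dst=10.0.0.20 dport=443 action=ratelimit
1700000001 fw=124 src=198.51.100.8 dst=10.0.0.20 dport=443 action=ratelimit
1700000001 fw=126 src=198.51.100.9 dst=10.0.0.20 dport=443 action=ratelimit
1700000002 fw=124 src=198.51.100.10 dst=10.0.0.20 dport=443 action=ratelimit
1700000002 fw=122 src=198.51.100.11 dst=10.0.0.20 dport=443 action=ratelimit
1700000003 fw=126 src=198.51.100.12 dst=10.0.0.20 dport=443 action=ratelimit
1700000003 fw=122 src=203.0.113.4 dst=10.0.0.30 dport=22 action=drop
1700000004 fw=122 src=203.0.113.4 dst=10.0.0.30 dport=22 action=drop
"""

MIN_INSTANCES = 2     # assumed: seen by at least two distinct firewall instances
MIN_SOURCES = 5       # assumed: at least five distinct source addresses
WINDOW_SECONDS = 60   # assumed analysis window per target

def parse_line(line):
    """Turn one 'key=value' event line into a dict with an integer timestamp."""
    ts, *kv = line.split()
    rec = {"ts": int(ts)}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def find_distributed_attacks(records):
    """Group events by (dst, dport). A target hit from many sources, reported by
    several instances, inside the window is a distributed-attack finding. A single
    noisy source (the port-22 lines above) does not qualify."""
    by_target = defaultdict(list)
    for rec in records:
        by_target[(rec["dst"], rec["dport"])].append(rec)
    findings = []
    for (dst, dport), events in by_target.items():
        events.sort(key=lambda r: r["ts"])
        first = events[0]["ts"]
        in_window = [e for e in events if e["ts"] - first <= WINDOW_SECONDS]
        sources = {e["src"] for e in in_window}
        instances = {e["fw"] for e in in_window}
        if len(sources) >= MIN_SOURCES and len(instances) >= MIN_INSTANCES:
            findings.append({"dst": dst, "dport": dport,
                             "sources": len(sources), "instances": sorted(instances)})
    return findings

def remedial_rules(findings, ttl_seconds=300):
    """One temporary network-wide drop rule per finding, carrying a TTL so the
    block expires rather than lingering after the event ends (assumed shape)."""
    return [{"action": "drop", "dst": f["dst"], "dport": int(f["dport"]),
             "scope": "all", "ttl_seconds": ttl_seconds} for f in findings]

if __name__ == "__main__":
    found = find_distributed_attacks(parse_log(SAMPLE_LOG))
    for rule in remedial_rules(found):
        print(rule)
```

The remedial rule follows the description literally and blocks the destination port for everyone, which also denies legitimate clients of that service; in a deployment the TTL bounds that cost, and a per-source rate limit or block list derived from the same grouped events is the less disruptive first response.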
In the example of FIG. 2, after instructing an SDN node 112-118 to create a firewall instance (or if the firewall instance is already present), the example firewall instruction generator 206 configures one or more other software-defined networking nodes (e.g., network gateways, edge routers, etc.) to route network traffic through the firewall instance. In some examples, the firewall node identifier 204 identifies ones of the SDN nodes 112-118 and/or the devices 120 in the software-defined network 100 that are to be configured to route traffic to the newly-instantiated firewall instance.
The example firewall instruction generator 206 also instructs the firewall instance executing on the SDN node 112-118 to enforce the network traffic rule as interpreted by the firewall policy interpreter 202. For example, the firewall instruction generator 206 generates and sends instructions to the firewall instance via the network operating system 106.
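An added example (not the patent's or AT&T's code) that walks the controller components of FIG. 2, and the identify/determine/instruct/enforce steps listed in the summary above, through two rules in Python: the policy interpreter validates a rule and its scope, the node identifier consults a firewall configuration database recording which portion of the network each instance serves, and the instruction generator renders the rule separately for each instance's firewall backend, so the instructions are customized per firewall as the description requires. The rule format, the served-portion names, the two backends (an iptables-style rule line and an OpenFlow-style match) and the database contents are assumptions.

```python
"""Added example (not the patent's code): policy interpreter, firewall node
identifier and instruction generator over an assumed configuration database.
Instance and node numbers follow FIG. 1; everything else is assumed."""
import ipaddress

# Firewall configuration database (constructed): which portion of the network
# each firewall instance serves and which backend it is built on.
CONFIG_DB = {
    122: {"node": 112, "serves": {"corp-vpn"},           "backend": "iptables"},
    124: {"node": 114, "serves": {"public", "corp-vpn"}, "backend": "openflow"},
    126: {"node": 116, "serves": {"public"},             "backend": "iptables"},
}

def interpret_rule(rule):
    """Policy interpreter: reject malformed rules, normalise addresses, default scope."""
    if rule["action"] not in ("drop", "allow"):
        raise ValueError("unknown action %r" % rule["action"])
    out = dict(rule)
    for key in ("src", "dst"):
        if key in rule:  # a bare host becomes a /32 (or /128) network
            out[key] = ipaddress.ip_network(rule[key], strict=False)
    if "dport" in rule and not 0 < int(rule["dport"]) < 65536:
        raise ValueError("bad port %r" % rule["dport"])
    out.setdefault("scope", "all")  # "all" or the name of a served portion
    return out

def identify_firewalls(rule, config_db=CONFIG_DB):
    """Firewall node identifier: only instances serving the rule's scope get it."""
    if rule["scope"] == "all":
        return sorted(config_db)
    return sorted(fw for fw, cfg in config_db.items() if rule["scope"] in cfg["serves"])

def render_iptables(rule):
    """Render as an iptables-style FORWARD rule line (assumed backend)."""
    parts = ["-A", "FORWARD"]
    if "src" in rule:
        parts += ["-s", str(rule["src"])]
    if "dst" in rule:
        parts += ["-d", str(rule["dst"])]
    if "dport" in rule:
        parts += ["-p", "tcp", "--dport", str(rule["dport"])]
    parts += ["-j", "DROP" if rule["action"] == "drop" else "ACCEPT"]
    return " ".join(parts)

def render_openflow(rule):
    """Render as an OpenFlow-style flow entry; an empty action list drops (assumed backend)."""
    match = {"eth_type": 0x0800}
    if "src" in rule:
        match["ipv4_src"] = str(rule["src"])
    if "dst" in rule:
        match["ipv4_dst"] = str(rule["dst"])
    if "dport" in rule:
        match["ip_proto"] = 6
        match["tcp_dst"] = int(rule["dport"])
    actions = [] if rule["action"] == "drop" else ["NORMAL"]
    return {"match": match, "actions": actions, "priority": 1000}

RENDERERS = {"iptables": render_iptables, "openflow": render_openflow}

def generate_instructions(raw_rule, config_db=CONFIG_DB):
    """Instruction generator: one instruction per selected firewall, customised
    to that firewall's backend, addressed to the node hosting it."""
    rule = interpret_rule(raw_rule)
    return {
        fw: {"node": config_db[fw]["node"],
             "instruction": RENDERERS[config_db[fw]["backend"]](rule)}
        for fw in identify_firewalls(rule, config_db)
    }

if __name__ == "__main__":
    # Constructed rules: a network-wide source block, then a VPN-scoped port block.
    for raw in ({"action": "drop", "src": "203.0.113.5"},
                {"action": "drop", "dst": "10.0.0.20", "dport": 445, "scope": "corp-vpn"}):
        for fw, instr in generate_instructions(raw).items():
            print(fw, instr)
```

Re-running generate_instructions with a changed rule yields the refreshed, per-backend instruction set for the same identified instances, which is the rule-change path described in the summary. A scope name the database does not know selects no instances rather than falling back to a network-wide push, which is the safer failure mode for a typo in an administrator-supplied rule.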
FIG. 3 is a block diagram of an example SDN node 300 to implement a firewall policy. The example SDN node 300 of FIG. 3 may implement any of the example SDN nodes 112-118 of FIG. 1. The example SDN node 300 of FIG. 3 includes a packet forwarder 302, a service manager 304, a firewall instance 306, and one or more other virtual service instance(s) 308.
The example packet forwarder 302 of FIG. 3 executes on the underlying hardware of the SDN node 300, including processor(s), memory, and/or communications interfaces (e.g., incoming data ports, outgoing data ports, hardware interconnects, etc.). The example packet forwarder 302 of this example receives network traffic (e.g., data packets), processes the traffic in accordance with the services executing on the SDN node 300 (e.g., the firewall instance 306 and/or other virtual service instances 308), and forwards the traffic or drops the traffic accordingly. In some examples, the packet forwarder 302 executes on and/or is implemented by multiple scalable hardware devices controlled as a single logical device by the service manager 304.
The example service manager 304 of FIG. 3 manages services executing on the SDN node 300 and provides an interface between the services 306, 308 and the packet forwarder 302. For example, the service manager 304 may include a virtual machine manager that manages virtual machines 310 implementing SDN services and/or software applications. Examples of such services that are managed by the service manager 304 include the firewall instance 306. The service manager 304 may support any number of virtual services. Additionally or alternatively, the service manager 304 provides access for the firewall instance 306 to the hardware resources of the packet forwarder 302 to, for example, enable the firewall instance 306 to apply the firewall rules to the traffic received at the packet forwarder 302. In some examples, the service manager 304 configures the firewall instance 306 such that the firewall instance 306 logically receives the traffic that is received at the packet forwarder 302. The service manager 304 further provides the firewall instance 306 with the processing resources to apply the firewall rules to the packet forwarder 302.
The service manager 304 of FIG. 3 exposes an API that may be accessed by the network operating system 106 and/or the SDN firewall controller 110 of FIG. 1. For example, the service manager 304 receives instructions from the SDN firewall controller 110 of FIG. 1 via the API for implementing and/or configuring the firewall instance 306 (and/or additional firewall instances). The service manager 304 instantiates the firewall instance 306 in a virtual machine 310, for example, in response to an instruction from the firewall instruction generator 206 to instantiate a firewall.
In some examples, the service manager 304 exposes a specialized API in response to instantiating the firewall instance 306. For example, the example service manager 304 provides configuration information to the firewall instance 306 when the service manager 304 receives, via a public or private firewall API (e.g., an API that provides access to functions specific to the firewall) of the service manager 304, instructions from the firewall instruction generator 206 that include configuration instructions.
While an example manner of implementing the software-definednetwork100, theSDN firewall controller110, and the SDN nodes112-118 is illustrated inFIGS. 1, 2, and 3, one or more of the elements, processes and/or devices illustrated inFIGS. 1, 2, and 3 may be combined, divided, re-arranged, omitted, eliminated and/or implemented in any other way. Further, theexample control plane102, theexample data plane104, the examplenetwork operating system106, the exampleSDN firewall controller110, the example SDN nodes112-118, theexample devices120, the example firewall services122-126, the examplefirewall policy interpreter202, the examplefirewall node identifier204,firewall instruction generator206,firewall configuration database208, theexample packet forwarder302, theexample service manager304, theexample firewall instance306 and/or, more generally, the example service-definednetwork100 ofFIG. 1 may be implemented by hardware, software, firmware and/or any combination of hardware, software and/or firmware. Thus, for example, any of theexample control plane102, theexample data plane104, the examplenetwork operating system106, the exampleSDN firewall controller110, the example SDN nodes112-118, theexample devices120, the example firewall services122-126, the examplefirewall policy interpreter202, the examplefirewall node identifier204,firewall instruction generator206,firewall configuration database208, theexample packet forwarder302, theexample service manager304, theexample firewall instance306 and/or, more generally, the example service-definednetwork100 could be implemented by one or more analog or digital circuit(s), logic circuits, programmable processor(s), application specific integrated circuit(s) (ASIC(s)), programmable logic device(s) (PLD(s)) and/or field programmable logic device(s) (FPLD(s)). 
When reading any of the apparatus or system claims of this patent to cover a purely software and/or firmware implementation, at least one of theexample control plane102, theexample data plane104, the examplenetwork operating system106, the exampleSDN firewall controller110, the example SDN nodes112-118, theexample devices120, the example firewall services122-126, the examplefirewall policy interpreter202, the examplefirewall node identifier204,firewall instruction generator206,firewall configuration database208, theexample packet forwarder302, theexample service manager304, and/or theexample firewall instance306 is/are hereby expressly defined to include a tangible computer readable storage device or storage disk such as a memory, a digital versatile disk (DVD), a compact disk (CD), a Blu-ray disk, etc. storing the software and/or firmware. Further still, the example the example service-definednetwork100 ofFIG. 1 may include one or more elements, processes and/or devices in addition to, or instead of, those illustrated inFIGS. 1, 2, and/or3, and/or may include more than one of any or all of the illustrated elements, processes and devices.
Flowcharts representative of example machine readable instructions for implementing the SDN firewall controller 110 and/or the SDN node 300 of FIGS. 1, 2, and/or 3 are shown in FIGS. 4 and 5. In this example, the machine readable instructions comprise programs for execution by a processor such as the processor 612 shown in the example processor platform 600 discussed below in connection with FIG. 6. The programs may be embodied in software stored on a tangible computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a digital versatile disk (DVD), a Blu-ray disk, or a memory associated with the processor 612, but the entire programs and/or parts thereof could alternatively be executed by a device other than the processor 612 and/or embodied in firmware or dedicated hardware. Further, although the example programs are described with reference to the flowcharts illustrated in FIGS. 4 and 5, many other methods of implementing the example SDN firewall controller 110 and/or the example SDN node 300 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
As mentioned above, the example processes of FIGS. 4 and/or 5 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a tangible computer readable storage medium such as a hard disk drive, a flash memory, a read-only memory (ROM), a compact disk (CD), a digital versatile disk (DVD), a cache, a random-access memory (RAM) and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term tangible computer readable storage medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and transmission media. As used herein, “tangible computer readable storage medium” and “tangible machine readable storage medium” are used interchangeably. Additionally or alternatively, the example processes of FIGS. 4 and/or 5 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a non-transitory computer and/or machine readable medium such as a hard disk drive, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and transmission media. As used herein, when the phrase “at least” is used as the transition term in a preamble of a claim, it is open-ended in the same manner as the term “comprising” is open ended.
FIG. 4 is a flowchart representative of example machine readable instructions 400 which may be executed to implement the example SDN firewall controller 110 of FIGS. 1 and/or 2 to control a distributed firewall in the software-defined network 100 of FIG. 1.
The example firewall policy interpreter 202 of FIG. 2 identifies a traffic rule for implementation in a software-defined network (block 402). For example, the firewall policy interpreter 202 may receive a rule configuration from an administrator of the software-defined network 100 and/or may receive a network traffic rule from a traffic analyzer. The example firewall policy interpreter 202 determines a firewall configuration for the network to enforce the network traffic rule (block 404). For example, the firewall policy interpreter 202 may determine a physical location, a virtual location, a subset of the network 100 to be served by the rule, the traffic characteristics that are to result in filtering, and/or any other configuration details needed to implement the network traffic rule.
The example firewall node identifier 204 selects a firewall instance associated with the firewall configuration (block 406). For example, the firewall instance may be selected based on network conditions and/or the firewall policy being enacted. The example firewall node identifier 204 determines whether the selected firewall instance is instantiated (block 408). For example, the firewall node identifier 204 may determine whether a firewall instance determined by the firewall policy interpreter 202 as part of the rule is identified or stored in the firewall configuration database 208. If the selected firewall instance is not instantiated (block 408), the example firewall instruction generator 206 instructs a physical SDN node (e.g., one of the SDN nodes 112-118, 300 of FIGS. 1 and/or 3) to instantiate a firewall application (e.g., one of the firewall services 122-126, 306 of FIGS. 1 and/or 3) (block 410). For example, the firewall instruction generator 206 generates instructions to access the API of the SDN node 300. The instructions cause the SDN node 300 to instantiate a virtual machine 310 and to implement the firewall service on the newly-instantiated virtual machine 310.
After instructing the physical SDN node to instantiate the firewall application (block 410), or if the selected firewall instance is already instantiated (block 408), the example firewall instruction generator 206 instructs the selected firewall instance to implement the network traffic rule (block 412). For example, the firewall instruction generator 206 generates an instruction including firewall rule configuration information and transmits the instruction to the SDN node 112-118, 300 implementing the selected firewall instance. On receipt, the firewall instance adds, modifies, and/or removes applicable firewall filtering rules to implement the network traffic rule.
The example firewall node identifier 204 determines the SDN nodes that are to be routed to the selected firewall instance (block 414). The firewall node identifier 204 selects one of the determined SDN nodes (block 416) and the firewall instruction generator 206 instructs the selected SDN node to route network traffic through the selected firewall instance (block 418). For example, the firewall instruction generator 206 may instruct one or more gateways, edge routers, and/or core routers to route applicable network traffic to the selected firewall instance (e.g., instead of a firewall instance to which the selected SDN node was previously directing traffic).
The example firewall node identifier 204 of this example determines whether there are any additional SDN nodes to be configured (block 420), as needed to address current network conditions and/or the desired firewall configuration. If there are additional SDN nodes (block 420), control returns to block 416 to select another SDN node. When there are no additional SDN nodes to be configured (block 420), the example firewall node identifier 204 determines whether there are any additional firewall instances to be configured, again as needed to address current network conditions and/or the desired firewall configuration (block 422). If there are additional firewall instances to be configured (block 422), control returns to block 406 to select another firewall instance. When there are no additional firewall instances (block 422), the example instructions 400 of FIG. 4 end.
FIG. 5 is a flowchart representative of example machine readable instructions 500 which may be executed to implement the example SDN nodes 112-118, 300 of FIGS. 1 and/or 3 to implement a distributed firewall policy.
The example service manager 304 of FIG. 3 exposes SDN APIs for control by an SDN firewall controller (e.g., the SDN firewall controller 110 via the network operating system 106 of FIG. 1) (block 502). In some examples, the SDN APIs are public APIs that may be used by other SDN services or applications to control services on the SDN node 300. In some other examples, one or more SDN APIs are private APIs that are exposed when the firewall instance 306 is instantiated at the SDN node 300.
The example service manager 304 of the illustrated example determines whether instruction(s) have been received (e.g., from the SDN firewall controller 110) to instantiate a firewall (block 504). If instruction(s) have been received to instantiate a firewall (block 504), the example service manager 304 instantiates a virtual machine for the firewall instance (block 506). The example service manager applies firewall node properties (e.g., installs firewall application components, basic SDN properties associated with the SDN node 300, etc.) to the virtual machine (block 508). In some examples, the firewall instance 306 is executed upon application of the firewall properties and begins filtering network traffic received at the SDN node 300 (e.g., at the packet forwarder 302) in accordance with the properties of the firewall instance 306.
The example service manager 304 of FIG. 3 registers the firewall instance 306 with the network (e.g., with the network operating system 106) and/or with the SDN firewall controller 110 (block 510). For example, a registration message may be returned to the SDN firewall controller 110 as a response to an access of the API by the SDN firewall controller 110.
After registering the firewall instance 306 (block 510), and/or if instructions have not been received to instantiate the firewall instance (block 504), the example service manager 304 of FIG. 3 determines whether instruction(s) have been received to enforce firewall rule(s) at the firewall instance 306 of the SDN node (block 512). For example, the service manager 304 may receive configuration information from the SDN firewall controller 110 via the same API, a different public API, and/or a private, firewall-specific API. The instruction(s) to enforce a firewall rule may include, for example, new and/or updated traffic filtering rules, load balancing rules, and/or any other firewall implementation rules determined by the SDN firewall controller 110 to be implemented (at least partially) at the firewall instance 306.
If instruction(s) to enforce firewall rules have been received (block 512), the example service manager 304 and/or the firewall instance 306 configure the firewall instance 306 to enforce the firewall rule (block 514). After configuring the firewall instance 306 (block 514), or if instruction(s) to enforce the firewall rule have not been received (block 512), the example instructions 500 of FIG. 5 end. In some other examples, blocks 504-514 may be repeated to maintain exposed SDN APIs for configuration by the control plane 102 (e.g., via the SDN firewall controller 110).
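The controller loop of FIG. 4, the node-side API of FIG. 5 and the drop-feedback step of claim 1 (an SDN node whose forwarded traffic is being dropped at a downstream firewall instance is given its own firewall instance) modelled together in an added Python example; this is not code from the patent or its assignee, and the class, method and node names (SDNNode, api_enforce_rule, edge1, core1) are constructed. The returned hop count is what shows the advantage the description claims: once filtering moves to the edge, restricted traffic is dropped before it consumes further hops.

```python
# Added example (not the patent's code): FIG. 4 controller loop, FIG. 5 node
# API and the drop feedback of claim 1. All names below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficRule:
    name: str
    dst_port: int   # packets to this destination port are dropped (block 402)


class FirewallInstance:
    """Firewall application in a VM at one SDN node (element 306 of FIG. 3)."""
    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.rules: List[TrafficRule] = []
        # network event data for the controller: (forwarding node, dst port)
        self.drop_events: List[Tuple[str, int]] = []

    def passes(self, ingress: str, dst_port: int) -> bool:
        """Return True if traffic passes; record a drop event otherwise."""
        if any(r.dst_port == dst_port for r in self.rules):
            self.drop_events.append((ingress, dst_port))
            return False
        return True


class SDNNode:
    """Physical SDN node; api_enforce_rule is its service manager API (block 502)."""
    def __init__(self, node_id: str) -> None:
        self.node_id = node_id
        self.firewall: Optional[FirewallInstance] = None
        self.next_hop: Optional["SDNNode"] = None   # set by controller (block 418)

    def api_enforce_rule(self, rule: TrafficRule) -> FirewallInstance:
        """Blocks 504-514: bring up the firewall VM on first use, install the
        rule once, and return a handle standing in for the registration message."""
        if self.firewall is None:
            self.firewall = FirewallInstance(self.node_id)
        if rule not in self.firewall.rules:
            self.firewall.rules.append(rule)
        return self.firewall

    def forward(self, dst_port: int) -> Tuple[str, int]:
        """Data plane: carry traffic entering here along next_hop; return (outcome, hops)."""
        node, hops = self, 0
        while True:
            if node.firewall and not node.firewall.passes(self.node_id, dst_port):
                return f"dropped@{node.node_id}", hops
            if node.next_hop is None:
                return f"delivered@{node.node_id}", hops
            node, hops = node.next_hop, hops + 1


class SDNFirewallController:
    """Policy interpreter, node identifier, instruction generator and config database of FIG. 2 in one class."""
    def __init__(self, nodes: Dict[str, SDNNode]) -> None:
        self.nodes = nodes
        self.config_db: Dict[str, List[str]] = {}   # rule name -> enforcing nodes

    def apply_rule(self, rule: TrafficRule, firewall_node: str, routed_nodes: List[str]) -> List[str]:
        """FIG. 4: instantiate the firewall if needed (blocks 408-410), push the
        rule (412) and route the listed nodes through it (414-420)."""
        fw_node = self.nodes[firewall_node]
        fw_node.api_enforce_rule(rule)
        enforcing = self.config_db.setdefault(rule.name, [])
        if firewall_node not in enforcing:
            enforcing.append(firewall_node)
        for nid in routed_nodes:
            self.nodes[nid].next_hop = fw_node
        return list(enforcing)

    def push_filtering_to_edge(self, rule: TrafficRule) -> List[str]:
        """Claim 1, last step: where event data show traffic forwarded by an upstream
        node being dropped downstream, give that node its own firewall instance."""
        enforcing = self.config_db.get(rule.name, [])
        added: List[str] = []
        for nid in list(enforcing):
            fw = self.nodes[nid].firewall
            for upstream, port in (fw.drop_events if fw else []):
                if port == rule.dst_port and upstream not in enforcing:
                    self.nodes[upstream].api_enforce_rule(rule)
                    enforcing.append(upstream)
                    added.append(upstream)
        return added


def demo() -> dict:
    nodes = {n: SDNNode(n) for n in ("edge1", "core1")}   # constructed topology
    ctrl = SDNFirewallController(nodes)
    block_telnet = TrafficRule("block-telnet", dst_port=23)
    ctrl.apply_rule(block_telnet, firewall_node="core1", routed_nodes=["edge1"])
    first = nodes["edge1"].forward(23)                  # dropped only at core1
    added = ctrl.push_filtering_to_edge(block_telnet)   # edge1 gets a firewall
    second = nodes["edge1"].forward(23)                 # now dropped at edge1
    allowed = nodes["edge1"].forward(443)               # still reaches core1
    return {"first": first, "added": added, "second": second, "allowed": allowed}
```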
FIG. 6 is a block diagram of an example processor platform 600 capable of executing the instructions of FIGS. 4 and/or 5 to implement the SDN firewall controller 110 and/or the SDN node 300 of FIGS. 1, 2, and/or 3. The processor platform 600 can be, for example, a server, a personal computer, or any other type of computing device.
The processor platform 600 of the illustrated example includes a processor 612. The processor 612 of the illustrated example is hardware. For example, the processor 612 can be implemented by one or more integrated circuits, logic circuits, microprocessors or controllers from any desired family or manufacturer.
The processor 612 of the illustrated example includes a local memory 613 (e.g., a cache). The processor 612 of the illustrated example is in communication with a main memory including a volatile memory 614 and a non-volatile memory 616 via a bus 618. The volatile memory 614 may be implemented by Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM) and/or any other type of random access memory device. The non-volatile memory 616 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory 614, 616 is controlled by a memory controller.
The processor platform 600 of the illustrated example also includes an interface circuit 620. The interface circuit 620 may be implemented by any type of interface standard, such as an Ethernet interface, a universal serial bus (USB), and/or a PCI express interface.
In the illustrated example, one or more input devices 622 are connected to the interface circuit 620. The input device(s) 622 permit(s) a user to enter data and commands into the processor 612. The input device(s) can be implemented by, for example, an audio sensor, a microphone, a camera (still or video), a keyboard, a button, a mouse, a touchscreen, a track-pad, a trackball, isopoint and/or a voice recognition system.
One or more output devices 624 are also connected to the interface circuit 620 of the illustrated example. The output devices 624 can be implemented, for example, by display devices (e.g., a light emitting diode (LED), an organic light emitting diode (OLED), a liquid crystal display, a cathode ray tube display (CRT), a touchscreen, a tactile output device, a printer and/or speakers). The interface circuit 620 of the illustrated example, thus, typically includes a graphics driver card, a graphics driver chip or a graphics driver processor.
The interface circuit 620 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem and/or network interface card to facilitate exchange of data with external machines (e.g., computing devices of any kind) via a network 626 (e.g., an Ethernet connection, a digital subscriber line (DSL), a telephone line, coaxial cable, a cellular telephone system, etc.).
The processor platform 600 of the illustrated example also includes one or more mass storage devices 628 for storing software and/or data. Examples of such mass storage devices 628 include floppy disk drives, hard disk drives, compact disk drives, Blu-ray disk drives, RAID systems, and digital versatile disk (DVD) drives.
The coded instructions 632 of FIGS. 4 and/or 5 may be stored in the mass storage device 628, in the volatile memory 614, in the non-volatile memory 616, and/or on a removable tangible computer readable storage medium such as a CD or DVD.
Examples disclosed herein have advantages over known firewalls that include reducing the complexity of network design and network security implementation. Examples disclosed herein also enable deployment of security policies throughout entire networks such that, in contrast to networks using known firewalls, network attacks or other restricted traffic can be blocked prior to exposing the network nodes to the attacks or restricted traffic.
Examples disclosed herein also increase the performance of entire networks (relative to known firewalls) because the network is freed from carrying restricted traffic additional hops toward the destination before the traffic can be filtered. Examples disclosed herein may be structured to distribute the firewall at or closer to the edges of the network, which allows each firewall to filter a smaller number of traffic flows, in contrast to known centralized firewalls that must have highly scalable throughput in order to block large numbers of traffic flows at concentrated locations. In some cases, the entire software-defined network can be configured to function as a firewall at each SDN node, rather than as a network that includes attached firewalls.
Relative to known firewalls, examples disclosed herein are more adaptable to current network conditions. For example, the firewalls disclosed herein can adapt to the current users and/or traffic patterns of a network, which enables the firewall policies of the network to be applied efficiently.
Although certain example methods, apparatus and articles of manufacture have been disclosed herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the claims of this patent.

Claims (14)

What is claimed is:
1. A method, comprising:
identifying, by executing an instruction with one or more processors, at a control plane, a network traffic rule to implement in a network;
determining, by executing an instruction with the one or more processors, at the control plane, a first firewall of a distributed firewall in the network to enforce the network traffic rule, the first firewall being instantiated by a first firewall instance at a second software-defined network node and by a second firewall instance at a third software-defined network node;
instructing the second software-defined network node to instantiate the first firewall instance by instructing the second software-defined network node to instantiate a first virtual machine to implement a first firewall application;
instructing the third software-defined network node to instantiate the second firewall instance by instructing the third software-defined network node to instantiate a second virtual machine to implement a second firewall application;
configuring a first software-defined network node to route network traffic to the first firewall; and
in response to determining at least some of the network traffic forwarded by the first software-defined network node to at least one of the second or third software-defined network nodes is being dropped by at least one of the first firewall instance or the second firewall instance, causing the first software-defined network node to implement a third firewall instance.
2. The method defined in claim 1, wherein the first, second and third firewall instances of the first firewall operate to form at least a portion of the distributed firewall.
3. The method defined in claim 1, further including:
analyzing network event data collected at the first and second firewall instances; and
based on the analyzing, determining at least some of the network traffic forwarded by the first software-defined network node to the second software-defined network node is being dropped by the first firewall instance, or at least some of the network traffic forwarded by the first software-defined network node to the third software-defined network node is being dropped by the second firewall instance.
4. The method defined in claim 1, further including:
analyzing network event data collected from a plurality of firewall instances, including the first and the second firewall instances; and
based on the analyzing, generating at least one of a remedial rule or a remedial policy to be implemented by at least some of the plurality of firewall instances.
5. The method defined in claim 1, further including:
identifying a second network traffic rule that affects a subset of a plurality of software-defined network nodes, the plurality of software-defined network nodes including the first, second and third software-defined network nodes; and
causing firewall instances instantiated at the subset of the plurality of software-defined network nodes to enforce the second network traffic rule.
6. A first software-defined network node, comprising:
a processor; and
a memory including computer readable instructions which, when executed, cause the processor to perform operations, the operations including:
identifying, at a control plane, a network traffic rule to implement in a network;
determining, at the control plane, a first firewall of a distributed firewall in the network to enforce the network traffic rule;
configuring a second software-defined network node to route network traffic to the first firewall, the first firewall being instantiated by a first firewall instance at a third software-defined network node and by a second firewall instance at a fourth software-defined network node;
directing the third software-defined network node to instantiate the first firewall instance by directing the third software-defined network node to instantiate a first virtual machine to implement a first firewall application;
directing the fourth software-defined network node to instantiate the second firewall instance by directing the fourth software-defined network node to instantiate a second virtual machine to implement a second firewall application; and
in response to determining at least some of the network traffic forwarded by the second software-defined network node to at least one of the third software-defined network node or the fourth software-defined network node is being dropped by at least one of the first firewall instance or the second firewall instance, causing the second software-defined network node to implement a third firewall instance.
7. The first software-defined network node defined in claim 6, the operations further including:
analyzing network event data collected at the first and second firewall instances; and
based on the analyzing of the network event data, determining at least some of the network traffic forwarded by the second software-defined network node to the third software-defined network node is being dropped at the first firewall instance, or at least some of the network traffic forwarded by the second software-defined network node to the fourth software-defined network node is being dropped at the second firewall instance.
8. The first software-defined network node defined in claim 6, the operations further including:
analyzing network event data collected from a plurality of firewall instances, including the first and the second firewall instances;
based on the analyzing of the network event data, generating at least one of a remedial rule or a remedial policy to be implemented by at least some of the plurality of firewall instances.
9. The first software-defined network node defined in claim 6, the operations further including:
identifying a second network traffic rule that affects a subset of a plurality of software-defined network nodes, the plurality of software-defined network nodes including at least the second, third and fourth software-defined network nodes; and
causing firewall instances instantiated at the subset of the plurality of software-defined network nodes to enforce the second network traffic rule.
10. A non-transitory computer readable medium comprising computer readable instructions which, when executed, cause a processor of a first software-defined network node to perform operations including:
identifying, at a control plane, a network traffic rule to implement in a network;
determining, at the control plane, a first firewall of a distributed firewall in the network to enforce the network traffic rule;
configuring a second software-defined network node to route network traffic to the first firewall, the first firewall being instantiated by a first firewall instance at a third software-defined network node and by a second firewall instance at a fourth software-defined network node;
directing the third software-defined network node to instantiate the first firewall instance by directing the third software-defined network node to instantiate a first virtual machine to implement a first firewall application;
directing the fourth software-defined network node to instantiate the second firewall instance by directing the fourth software-defined network node to instantiate a second virtual machine to implement a second firewall application; and
in response to determining at least some of the network traffic forwarded by the second software-defined network node to at least one of the third software-defined network node or the fourth software-defined network nodes is being dropped by at least one of the first firewall instance or the second firewall instance, causing the second software-defined network node to implement a third firewall instance.
11. The non-transitory computer readable medium defined in claim 10, the operations further including:
analyzing network event data collected at the first and second firewall instances; and
based on the analyzing of the network event data, determining at least some of the network traffic forwarded by the second software-defined network node to the third software-defined network node is being dropped at the first firewall instance, or at least some of the network traffic forwarded by the second software-defined network node to the fourth software-defined network node is being dropped at the second firewall instance.
12. The non-transitory computer readable medium defined in claim 10, the operations further including:
analyzing network event data collected from a plurality of firewall instances, including the first and the second firewall instances; and
based on the analyzing of the network event data, generating at least one of a remedial rule or a remedial policy to be implemented by at least some of the plurality of firewall instances.
13. The non-transitory computer readable medium defined in claim 10, the operations further including:
identifying a second network traffic rule that affects a subset of a plurality of software-defined network nodes, the plurality of software-defined network nodes including at least the second, third and fourth software-defined network nodes; and
causing firewall instances instantiated at the subset of the plurality of software-defined network nodes to enforce the second network traffic rule.
14. The non-transitory computer readable medium defined in claim 10, wherein the first, second and third firewall instances operate to form the first firewall of the distributed firewall.

Priority Applications (4)

Application Number | Publication | Priority Date | Filing Date | Title
US15/594,010 | US10623373B2 (en) | 2014-05-06 | 2017-05-12 | Methods and apparatus to provide a distributed firewall in a network
US16/836,514 | US11044232B2 (en) | 2014-05-06 | 2020-03-31 | Methods and apparatus to provide a distributed firewall in a network
US17/321,566 | US11665140B2 (en) | 2014-05-06 | 2021-05-17 | Methods and apparatus to provide a distributed firewall in a network
US18/302,030 | US12166746B2 (en) | 2014-05-06 | 2023-04-18 | Methods and apparatus to provide a distributed firewall in a network

Related Parent Applications (1)

Application Number | Relation | Publication | Priority Date | Filing Date | Title
US14/271,185 | Continuation | US9674147B2 (en) | 2014-05-06 | 2014-05-06 | Methods and apparatus to provide a distributed firewall in a network

Related Child Applications (1)

Application Number | Relation | Publication | Priority Date | Filing Date | Title
US16/836,514 | Continuation | US11044232B2 (en) | 2014-05-06 | 2020-03-31 | Methods and apparatus to provide a distributed firewall in a network

Publications (2)

Publication Number | Publication Date
US20170250955A1 (en) | 2017-08-31
US10623373B2 (en) | 2020-04-14

Family

ID=54368832

Family Applications (5)

Application Number | Status | Publication | Priority Date | Filing Date | Title
US14/271,185 | Active 2035-08-07 | US9674147B2 (en) | 2014-05-06 | 2014-05-06 | Methods and apparatus to provide a distributed firewall in a network
US15/594,010 | Expired - Fee Related | US10623373B2 (en) | 2014-05-06 | 2017-05-12 | Methods and apparatus to provide a distributed firewall in a network
US16/836,514 | Active | US11044232B2 (en) | 2014-05-06 | 2020-03-31 | Methods and apparatus to provide a distributed firewall in a network
US17/321,566 | Active 2034-07-11 | US11665140B2 (en) | 2014-05-06 | 2021-05-17 | Methods and apparatus to provide a distributed firewall in a network
US18/302,030 | Active | US12166746B2 (en) | 2014-05-06 | 2023-04-18 | Methods and apparatus to provide a distributed firewall in a network

Country Status (1)

Country | Link
US (5) | US9674147B2 (en)

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US9674147B2 (en)2014-05-062017-06-06At&T Intellectual Property I, L.P.Methods and apparatus to provide a distributed firewall in a network
US9825913B2 (en)2014-06-042017-11-21Nicira, Inc.Use of stateless marking to speed up stateful firewall rule processing
DE102015107073A1 (en)*2014-09-082016-03-10Rheinmetall Defence Electronics Gmbh Device and method for controlling a communication network
US9438560B2 (en)*2014-12-312016-09-06Symantec CorporationSystems and methods for automatically applying firewall policies within data center applications
CN105827425B (en)*2015-01-082020-07-24华为技术有限公司Network control method and device
US20160285735A1 (en)*2015-03-232016-09-29Brocade Communications Systems, Inc.Techniques for efficiently programming forwarding rules in a network system
US10911353B2 (en)2015-06-172021-02-02Extreme Networks, Inc.Architecture for a network visibility system
US10771475B2 (en)2015-03-232020-09-08Extreme Networks, Inc.Techniques for exchanging control and configuration information in a network visibility system
US10185638B2 (en)*2015-09-292019-01-22NeuVector, Inc.Creating additional security containers for transparent network security for application containers based on conditions
CN105338003B (en)* | 2015-12-09 | 2018-05-11 | 中国电子科技集团公司第二十八研究所 | A kind of method of realizing fireproof wall applied to software defined network
WO2017127102A1 (en)* | 2016-01-22 | 2017-07-27 | Nokia Solutions And Networks Oy | Application relocation between clouds
US11038845B2 (en)* | 2016-02-23 | 2021-06-15 | Nicira, Inc. | Firewall in a virtualized computing environment using physical network interface controller (PNIC) level firewall rules
US10454777B2 (en)* | 2016-04-06 | 2019-10-22 | Omni Ai, Inc. | Network data processing driver for a cognitive artifical intelligence system
US10666569B1 (en)* | 2016-09-23 | 2020-05-26 | Amazon Technologies, Inc. | Journal service with named clients
US10805238B1 (en) | 2016-09-23 | 2020-10-13 | Amazon Technologies, Inc. | Management of alternative resources
US20180091369A1 (en)* | 2016-09-28 | 2018-03-29 | Intel Corporation | Techniques to detect anomalies in software defined networking environments
US10958623B2 (en)* | 2017-05-26 | 2021-03-23 | Futurewei Technologies, Inc. | Identity and metadata based firewalls in identity enabled networks
US10951414B2 (en)* | 2018-01-29 | 2021-03-16 | Hub data security Ltd. | Method for securing digital currency
US10742607B2 (en)* | 2018-02-06 | 2020-08-11 | Juniper Networks, Inc. | Application-aware firewall policy enforcement by data center controller
US11252258B2 (en) | 2018-09-27 | 2022-02-15 | Hewlett Packard Enterprise Development Lp | Device-aware dynamic protocol adaptation in a software-defined network
KR102160187B1 (en) | 2018-11-20 | 2020-09-25 | 광주과학기술원 | Apparatus and method deploying firewall on SDN, and network using the same
US11233816B2 (en)* | 2019-02-15 | 2022-01-25 | Verizon Patent And Licensing Inc. | User-determined network traffic filtering
US11470017B2 (en)* | 2019-07-30 | 2022-10-11 | At&T Intellectual Property I, L.P. | Immersive reality component management via a reduced competition core network component
US11057348B2 (en)* | 2019-08-22 | 2021-07-06 | Saudi Arabian Oil Company | Method for data center network segmentation
US11563722B2 (en)* | 2019-08-22 | 2023-01-24 | Hewlett Packard Enterprise Development Lp | Firewall coordination in a network
US11606310B2 (en) | 2020-09-28 | 2023-03-14 | Vmware, Inc. | Flow processing offload using virtual port identifiers
US11875172B2 (en) | 2020-09-28 | 2024-01-16 | VMware LLC | Bare metal computer for booting copies of VM images on multiple computing devices using a smart NIC
US20240129232A1 (en)* | 2020-12-31 | 2024-04-18 | Aviatrix Systems, Inc. | Systems and methods for load balancing network traffic at firewalls deployed in a cloud computing environment
US12401622B1 (en)* | 2021-06-21 | 2025-08-26 | Amazon Technologies, Inc. | Generating a plan for routing updates for discovered resources at networks with deployed firewalls
US12218839B1 (en)* | 2021-11-01 | 2025-02-04 | Juniper Networks, Inc. | Service function chaining with session-based routing
US11995024B2 (en) | 2021-12-22 | 2024-05-28 | VMware LLC | State sharing between smart NICs
US12229578B2 (en) | 2021-12-22 | 2025-02-18 | VMware LLC | Teaming of smart NICs
CN114500058B (en)* | 2022-01-28 | 2024-07-12 | 优刻得科技股份有限公司 | Network access control method, system, equipment and medium
US12373237B2 (en) | 2022-05-27 | 2025-07-29 | VMware LLC | Logical memory addressing by smart NIC across multiple devices
US11928367B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Logical memory addressing for network devices
US11899594B2 (en) | 2022-06-21 | 2024-02-13 | VMware LLC | Maintenance of data message classification cache on smart NIC
US11928062B2 (en) | 2022-06-21 | 2024-03-12 | VMware LLC | Accelerating data message classification with smart NICs
US12381849B2 (en)* | 2022-10-28 | 2025-08-05 | International Business Machines Corporation | Polymorphic dynamic firewall
US12388874B2 (en)* | 2023-04-13 | 2025-08-12 | Palo Alto Networks, Inc. | SD-WAN IOT security posture management
DE102023002589B4 (en) | 2023-06-26 | 2025-01-23 | Mercedes-Benz Group AG | Network system and vehicle
US20250030737A1 (en)* | 2023-07-20 | 2025-01-23 | Cisco Technology, Inc. | Integrating sd-wan constructs with sase security policies

Citations (24)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5922051A (en) | 1997-05-14 | 1999-07-13 | Ncr Corporation | System and method for traffic management in a network management system
US6226372B1 (en) | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities
US6317837B1 (en) | 1998-09-01 | 2001-11-13 | Applianceware, Llc | Internal network node with dedicated firewall
WO2002044871A2 (en) | 2000-11-29 | 2002-06-06 | Security And Intrusion Detection Research Labs, Llc | Scalable system for monitoring network system and components and methodology therefore
US6584454B1 (en) | 1999-12-31 | 2003-06-24 | Ge Medical Technology Services, Inc. | Method and apparatus for community management in remote system servicing
US20030167410A1 (en) | 2002-03-01 | 2003-09-04 | Rigstad Peter M. | System for providing firewall to a communication device and method and device of same
US20040015719A1 (en) | 2002-07-16 | 2004-01-22 | Dae-Hyung Lee | Intelligent security engine and intelligent and integrated security system using the same
US20060129808A1 (en) | 2004-11-19 | 2006-06-15 | Microsoft Corporation | Method and system for distributing security policies
US7818565B2 (en) | 2002-06-10 | 2010-10-19 | Quest Software, Inc. | Systems and methods for implementing protocol enforcement rules
US7844731B1 (en) | 2003-11-14 | 2010-11-30 | Symantec Corporation | Systems and methods for address spacing in a firewall cluster
US8032933B2 (en) | 2004-03-10 | 2011-10-04 | Rocksteady Technologies, Llc | Dynamically adaptive network firewalls and method, system and computer program product implementing same
US8089187B2 (en) | 2008-03-03 | 2012-01-03 | Budde William A | High-efficiency, variable-speed permanent magnet motor and control system
EP2466832A1 (en) | 2010-12-16 | 2012-06-20 | Openet Telecom Ltd. | Methods, systems and devices for dynamic context-based routing using a topology tree
US20120174184A1 (en)* | 2004-09-30 | 2012-07-05 | Arn Hyndman | Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall
US8307419B2 (en) | 1999-12-29 | 2012-11-06 | Intel Corporation | System and method for regulating communications to or from an application
US20130152188A1 (en)* | 2011-12-12 | 2013-06-13 | Mcafee, Inc. | Port allocation in a firewall cluster
WO2013139298A1 (en) | 2012-03-22 | 2013-09-26 | Huawei Technologies Co., Ltd. | Supporting software defined networking with application layer traffic optimization
EP2648370A1 (en) | 2012-04-04 | 2013-10-09 | Cisco Technology, Inc. | Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment
US20130272253A1 (en) | 2010-11-30 | 2013-10-17 | Koninklijke Kpn N.V. | Dynamic Assignment of a Serving Network Node
US8565108B1 (en) | 2010-09-28 | 2013-10-22 | Amazon Technologies, Inc. | Network data transmission analysis
US8578015B2 (en) | 2002-04-29 | 2013-11-05 | Harris Corporation | Tracking traffic in a mobile ad hoc network
EP2667548A1 (en) | 2011-03-02 | 2013-11-27 | Huawei Technologies Co., Ltd. | Network traffic volume distribution method, network node, and system
US8612744B2 (en) | 2011-02-10 | 2013-12-17 | Varmour Networks, Inc. | Distributed firewall architecture using virtual machines
US8661153B2 (en) | 2002-10-16 | 2014-02-25 | Rpx Corporation | System and method for dynamic bandwidth provisioning

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20030084331A1 (en)* | 2001-10-26 | 2003-05-01 | Microsoft Corporation | Method for providing user authentication/authorization and distributed firewall utilizing same
US7421734B2 (en)* | 2003-10-03 | 2008-09-02 | Verizon Services Corp. | Network firewall test methods and apparatus
AU2005328336B2 (en)* | 2004-12-22 | 2011-09-15 | Wake Forest University | Method, systems, and computer program products for implementing function-parallel network firewall
EP1864226B1 (en)* | 2005-03-28 | 2013-05-15 | Wake Forest University | Methods, systems, and computer program products for network firewall policy optimization
US8291483B2 (en)* | 2007-04-30 | 2012-10-16 | Hewlett-Packard Development Company, L.P. | Remote network device with security policy failsafe
US8112800B1 (en)* | 2007-11-08 | 2012-02-07 | Juniper Networks, Inc. | Multi-layered application classification and decoding
US9270639B2 (en)* | 2011-02-16 | 2016-02-23 | Fortinet, Inc. | Load balancing among a cluster of firewall security devices
US10333827B2 (en)* | 2012-04-11 | 2019-06-25 | Varmour Networks, Inc. | Adaptive session forwarding following virtual machine migration detection
US8955093B2 (en)* | 2012-04-11 | 2015-02-10 | Varmour Networks, Inc. | Cooperative network security inspection
US8949931B2 (en)* | 2012-05-02 | 2015-02-03 | Cisco Technology, Inc. | System and method for monitoring application security in a network environment
US9674147B2 (en) | 2014-05-06 | 2017-06-06 | At&T Intellectual Property I, L.P. | Methods and apparatus to provide a distributed firewall in a network
US10050938B2 (en)* | 2014-10-31 | 2018-08-14 | Jeffrey H. Moskow | Highly secure firewall system
US9294442B1 (en)* | 2015-03-30 | 2016-03-22 | Varmour Networks, Inc. | System and method for threat-driven security policy controls

Patent Citations (26)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5922051A (en) | 1997-05-14 | 1999-07-13 | Ncr Corporation | System and method for traffic management in a network management system
US6317837B1 (en) | 1998-09-01 | 2001-11-13 | Applianceware, Llc | Internal network node with dedicated firewall
US6226372B1 (en) | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities
US8307419B2 (en) | 1999-12-29 | 2012-11-06 | Intel Corporation | System and method for regulating communications to or from an application
US6584454B1 (en) | 1999-12-31 | 2003-06-24 | Ge Medical Technology Services, Inc. | Method and apparatus for community management in remote system servicing
WO2002044871A2 (en) | 2000-11-29 | 2002-06-06 | Security And Intrusion Detection Research Labs, Llc | Scalable system for monitoring network system and components and methodology therefore
US20030167410A1 (en) | 2002-03-01 | 2003-09-04 | Rigstad Peter M. | System for providing firewall to a communication device and method and device of same
US8578015B2 (en) | 2002-04-29 | 2013-11-05 | Harris Corporation | Tracking traffic in a mobile ad hoc network
US7818565B2 (en) | 2002-06-10 | 2010-10-19 | Quest Software, Inc. | Systems and methods for implementing protocol enforcement rules
US20040015719A1 (en) | 2002-07-16 | 2004-01-22 | Dae-Hyung Lee | Intelligent security engine and intelligent and integrated security system using the same
US8661153B2 (en) | 2002-10-16 | 2014-02-25 | Rpx Corporation | System and method for dynamic bandwidth provisioning
US7844731B1 (en) | 2003-11-14 | 2010-11-30 | Symantec Corporation | Systems and methods for address spacing in a firewall cluster
US8032933B2 (en) | 2004-03-10 | 2011-10-04 | Rocksteady Technologies, Llc | Dynamically adaptive network firewalls and method, system and computer program product implementing same
US8397282B2 (en) | 2004-03-10 | 2013-03-12 | Rpx Corporation | Dynamically adaptive network firewalls and method, system and computer program product implementing same
US20120174184A1 (en)* | 2004-09-30 | 2012-07-05 | Arn Hyndman | Method and Apparatus for Enabling Enhanced Control of Traffic Propagation Through a Network Firewall
US20060129808A1 (en) | 2004-11-19 | 2006-06-15 | Microsoft Corporation | Method and system for distributing security policies
US7509493B2 (en) | 2004-11-19 | 2009-03-24 | Microsoft Corporation | Method and system for distributing security policies
US8089187B2 (en) | 2008-03-03 | 2012-01-03 | Budde William A | High-efficiency, variable-speed permanent magnet motor and control system
US8565108B1 (en) | 2010-09-28 | 2013-10-22 | Amazon Technologies, Inc. | Network data transmission analysis
US20130272253A1 (en) | 2010-11-30 | 2013-10-17 | Koninklijke Kpn N.V. | Dynamic Assignment of a Serving Network Node
EP2466832A1 (en) | 2010-12-16 | 2012-06-20 | Openet Telecom Ltd. | Methods, systems and devices for dynamic context-based routing using a topology tree
US8612744B2 (en) | 2011-02-10 | 2013-12-17 | Varmour Networks, Inc. | Distributed firewall architecture using virtual machines
EP2667548A1 (en) | 2011-03-02 | 2013-11-27 | Huawei Technologies Co., Ltd. | Network traffic volume distribution method, network node, and system
US20130152188A1 (en)* | 2011-12-12 | 2013-06-13 | Mcafee, Inc. | Port allocation in a firewall cluster
WO2013139298A1 (en) | 2012-03-22 | 2013-09-26 | Huawei Technologies Co., Ltd. | Supporting software defined networking with application layer traffic optimization
EP2648370A1 (en) | 2012-04-04 | 2013-10-09 | Cisco Technology, Inc. | Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment

Non-Patent Citations (9)

* Cited by examiner, † Cited by third party
Title
Anderson, Thomas, et al. "Overcoming the Internet impasse through virtualization," Computer 38.4 (Apr. 2005): 34-41.
Arif, Moiz, Abdullah Nafis Khan, and Saad Iftikhar. "Virtualization in Networks A survey," Transactions on Networks and Communications 1.1 (Dec. 19, 2013) (15 pages).
Chowdhury, NM Mosharaf Kabir, and Raouf Boutaba. "Network virtualization: state of the art and research challenges." Communications Magazine, IEEE 47.7 (Jul. 2009): 20-26.
Jaeger, R., et al. "Integrating Active Networking and Commercial Grade Routing Platforms." (Mar. 20, 2000): (10 pages).
Nygren, Erik L., Stephen J. Garland, and M. Frans Kaashoek. "PAN: A high-performance active network node supporting multiple mobile code systems." Open Architectures and Network Programming Proceedings, 1999. OPENARCH'99. 1999 IEEE Second Conference on. IEEE, 1999 (15 pages).
Smith, Jonathan M., et al. "Activating networks: a progress report." Computer 32.4 (Nov. 13, 1998): (20 pages).
United States Patent and Trademark Office, "Non-Final Office Action", issued in connection with U.S. Appl. No. 14/271,185, dated Sep. 13, 2016 (15 pages).
United States Patent and Trademark Office, "Notice of Allowance", issued in connection with U.S. Appl. No. 14/271,185, dated Jan. 27, 2017 (10 pages).
Wilkinson, Glenn. "An Investigation into Network Emulation and the Development of a Custom Network." (Nov. 2007): (64 pages).

Also Published As

Publication number | Publication date
US20230254283A1 (en) | 2023-08-10
US11665140B2 (en) | 2023-05-30
US20210273912A1 (en) | 2021-09-02
US20170250955A1 (en) | 2017-08-31
US12166746B2 (en) | 2024-12-10
US9674147B2 (en) | 2017-06-06
US20200228501A1 (en) | 2020-07-16
US11044232B2 (en) | 2021-06-22
US20150326532A1 (en) | 2015-11-12

Similar Documents

Publication | Publication Date | Title
US12166746B2 (en) | | Methods and apparatus to provide a distributed firewall in a network
US12141599B2 (en) | | Architecture of networks with middleboxes
US10498765B2 (en) | | Virtual infrastructure perimeter regulator
US9203703B2 (en) | | Packet conflict resolution
US9602404B2 (en) | | Last-hop processing for reverse direction packets
US20150117454A1 (en) | | Dynamic Generation of Flow Entries for Last-Hop Processing
AU2018204247B2 (en) | | Architecture of networks with middleboxes

Legal Events

Date | Code | Title | Description
STPP | Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

AS | Assignment

Owner name: AT&T INTELLECTUAL PROPERTY I, L.P., GEORGIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GRANT, DUSTIN;GUPTA, SANDEEP;NARAHARI, SRIDHAR;AND OTHERS;SIGNING DATES FROM 20140503 TO 20140506;REEL/FRAME:044742/0090

STPP | Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP | Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP | Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF | Information on status: patent grant

Free format text: PATENTED CASE

FEPP | Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS | Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH | Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP | Lapsed due to failure to pay maintenance fee

Effective date: 20240414

